The previous post set up the example services; this post adds IdentityServer4 to the Ocelot gateway.
First, configure a client on the IdentityServer side. A minimal client definition is enough. In my own project I used the hybrid flow, which needs many settings, but for the client credentials grant most of them are unnecessary. The following is all that is needed:

    new Client
    {
        ClientId = "liyouming",
        ClientName = "ChinaNetCore",
        ClientSecrets = { new Secret("liyouming".Sha256()) },
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        AccessTokenType = AccessTokenType.Jwt,
        AllowedScopes = { "openid", "profile", "UserServicesApi" }
    }

Two things to keep in mind: the client credentials grant has no user, so the identity scopes openid and profile cannot be requested with it (IdentityServer4 rejects such a token request); only the API scope UserServicesApi matters for the gateway. And the secret here is the same string as the client id, which is fine for a demo but should be a long random value anywhere else.
On the Ocelot side you only need to add an AuthenticationOptions node to the ReRoute from the previous configuration (the property name Ocelot reads is AllowedScopes):

    {
      "ReRoutes": [
        {
          "DownstreamPathTemplate": "/api/values/getuser",
          "DownstreamScheme": "http",
          "DownstreamHostAndPorts": [
            { "Host": "localhost", "Port": 20001 },
            { "Host": "localhost", "Port": 20001 }
          ],
          "UpstreamPathTemplate": "/test",
          "UpstreamHttpMethod": [ "Get" ],
          "LoadBalancer": "LeastConnection",
          "ServiceName": "userservices",
          "UseServiceDiscovery": true,
          "AuthenticationOptions": {
            "AuthenticationProviderKey": "usergateway",
            "AllowedScopes": [ "UserServicesApi" ]
          }
        }
      ],
      "GlobalConfiguration": {
        "BaseUrl": "http://localhost:20000",
        "ServiceDiscoveryProvider": {
          "Host": "localhost",
          "Port": 8500
        }
      }
    }

The relevant node is just:

    "AuthenticationOptions": {
      "AuthenticationProviderKey": "usergateway",
      "AllowedScopes": [ "UserServicesApi" ]
    }

Since UseServiceDiscovery is true, the downstream address is resolved from ServiceName through the ServiceDiscoveryProvider (localhost:8500) and the DownstreamHostAndPorts entries are not used.
AuthenticationProviderKey is simply the name of the authentication scheme registered in the gateway.
AllowedScopes is the scope granted for the ApiResource, which here is the same value as the ApiName.
The gateway also needs the authentication service registered with that scheme name: the authority (the IdentityServer address), the ApiName (scope), whether it accepts reference tokens, JWTs or both, and the API secret. If you are not using HTTPS you must set RequireHttpsMetadata = false.

    services.AddAuthentication()
        .AddIdentityServerAuthentication("usergateway", options =>
        {
            options.Authority = "http://localhost:30000";
            options.ApiName = "UserServicesApi";
            options.SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Both;
            options.ApiSecret = "liyouming";
            options.RequireHttpsMetadata = false;
        });

With SupportedTokens.Both, a JWT is validated locally against the issuer's signing keys (jwks_uri) with ApiName as the expected audience, while a reference token is sent to the introspection endpoint, which authenticates the gateway with ApiName and ApiSecret. ApiSecret therefore has to match a secret configured on the UserServicesApi ApiResource (its ApiSecrets), not the client secret. RequireHttpsMetadata = false is a local-development setting only; leave it at the default true anywhere the authority is reachable over a network.
Now test it with Postman.
If you are not sure of the token endpoint address, read it from the discovery document:
http://localhost:30000/.well-known/openid-configuration

    {
      "issuer": "http://localhost:30000",
      "jwks_uri": "http://localhost:30000/.well-known/openid-configuration/jwks",
      "authorization_endpoint": "http://localhost:30000/connect/authorize",
      "token_endpoint": "http://localhost:30000/connect/token",
      "userinfo_endpoint": "http://localhost:30000/connect/userinfo",
      "end_session_endpoint": "http://localhost:30000/connect/endsession",
      "check_session_iframe": "http://localhost:30000/connect/checksession",
      "revocation_endpoint": "http://localhost:30000/connect/revocation",
      "introspection_endpoint": "http://localhost:30000/connect/introspect",
      "frontchannel_logout_supported": true,
      "frontchannel_logout_session_supported": true,
      "backchannel_logout_supported": true,
      "backchannel_logout_session_supported": true,
      "scopes_supported": ["openid", "profile", "UserServicesApi", "offline_access"],
      "claims_supported": [],
      "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token", "implicit"],
      "response_types_supported": ["code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token"],
      "response_modes_supported": ["form_post", "query", "fragment"],
      "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
      "subject_types_supported": ["public"],
      "id_token_signing_alg_values_supported": ["RS256"],
      "code_challenge_methods_supported": ["plain", "S256"]
    }
1. Obtain a token from http://localhost:30000/connect/token
The client credentials grant needs four form parameters in the POST body:
client_id (liyouming)
client_secret (liyouming)
grant_type (client_credentials)
scope (UserServicesApi)
2. Call the gateway
Calling /test on the gateway without a token returns 401 Unauthorized.
With the access_token obtained in step 1, call /test on the gateway again, sending the token in the Authorization header as Bearer <access_token>, and the request is forwarded to the user service.
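The two Postman steps above, as an added example that is not part of the original post: a stand-alone Python script (standard library only) that builds the client-credentials request with the four parameters, fetches a token from the token_endpoint, decodes the JWT's claims without verifying the signature (signature verification against jwks_uri is left to the gateway's validator), and calls /test with and without the Bearer header. It also reimplements the three checks the gateway applies to a JWT on this route (not expired, audience contains ApiName, a token scope is in the route's AllowedScopes) so you can see why a token for another scope is rejected. The constructed_token helper and its placeholder signature are constructed for offline illustration; the URLs, client id, secret and scope are the values from the post.

```python
"""Client-credentials token request and the checks the Ocelot gateway applies."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Values taken from the post's configuration.
TOKEN_ENDPOINT = "http://localhost:30000/connect/token"
GATEWAY_URL = "http://localhost:20000/test"
CLIENT_ID = "liyouming"
CLIENT_SECRET = "liyouming"
API_NAME = "UserServicesApi"                 # options.ApiName on the gateway
ROUTE_ALLOWED_SCOPES = ["UserServicesApi"]   # AllowedScopes on the /test ReRoute


def token_request_body(client_id, client_secret, scope):
    """Form body for the client-credentials grant: the four parameters the post lists."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })


def fetch_token(token_endpoint, client_id, client_secret, scope):
    """POST to /connect/token (client_secret_post) and return the access_token.
    Needs the IdentityServer from the post to be running."""
    body = token_request_body(client_id, client_secret, scope).encode()
    req = urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Return the JWT payload WITHOUT verifying the signature; only for inspection.
    The gateway's validator does the RS256 check against jwks_uri."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def gateway_would_accept(claims, api_name, allowed_scopes, now=None):
    """Mirror the gateway's checks for a JWT on a route with AllowedScopes:
    not expired, audience includes ApiName, and some token scope is allowed."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if api_name not in aud:
        return False
    scope = claims.get("scope", [])
    if isinstance(scope, str):       # newer IdentityServer4 builds emit one space-separated string
        scope = scope.split()
    return any(s in allowed_scopes for s in scope)


def constructed_token(scopes, exp):
    """Constructed sample token with the claim shape IdentityServer4 emits for this
    client. The signature segment is a placeholder, NOT a valid RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "iss": "http://localhost:30000",
        "aud": ["http://localhost:30000/resources", API_NAME],
        "client_id": CLIENT_ID,
        "scope": scopes,
        "exp": exp,
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def call_gateway(url, token=None):
    """GET the route and return the HTTP status (401 when the token is missing or rejected).
    Needs the gateway from the post to be running."""
    headers = {"Authorization": "Bearer " + token} if token else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    print("without token:", call_gateway(GATEWAY_URL))          # expect 401
    tok = fetch_token(TOKEN_ENDPOINT, CLIENT_ID, CLIENT_SECRET, API_NAME)
    print("claims:", decode_jwt_claims(tok))
    print("with token:", call_gateway(GATEWAY_URL, tok))        # expect 200
```

The offline helpers (token_request_body, decode_jwt_claims, gateway_would_accept) work without the servers; the two network calls reproduce the Postman steps against the running IdentityServer and gateway.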